It’s a technique known as social engineering, and while it’s been around for as long as there have been confidence tricksters trying to con people out of their hard-earned cash, the internet has made fraud that much easier.
Let’s learn how these attacks work and what you can do to protect yourself.
Social engineering is a psychological attack where a fraudster tricks you into doing something you shouldn’t do through manipulation techniques. Con artists are as old as time, but today’s technology makes it much easier for any attacker from anywhere in the world to pretend to be anything or anyone, and target anyone around the world, including you.
Let’s take a look at some examples:
You receive a phone call from someone claiming to be from SARS informing you that your tax is overdue and that if you do not pay them right away you will be fined or arrested. They then pressure you to pay over the phone with a credit card, or EFT, warning you that if you don’t pay you could go to jail. The caller isn’t really from SARS, but an attacker attempting to trick you into giving them money.
Cyber criminals continue to come up with resourceful ways to fool people. A new type of scam is gaining popularity— personalised scams. Cyber criminals find or purchase information about millions of people (usually accessed through a hack or data breach and then sold on the Dark Web), then use that information to personalise their attacks. The more you know about these scams, the easier it is for you to spot and stop them.
Email or phone call scams are not new – cyber criminals have been attempting to deceive people for years. Examples include the “You Won the Lottery” or the infamous Nigerian Prince scams. However, in these traditional scams cyber criminals do not know who they are targeting. They simply create a generic message and send it out to millions of people, hoping someone takes the bait.
Because these scams are so generic, they are usually easy to spot. A personalised scam is different. Like there more generic counterparts, they use tactics to drive urgency, but with personalised attacks their number one weapon is fear – fear of being fined, losing money or facing disciplinary action at work because of not following a manager’s order.
Here’s an example of a fear-based scam that leverages your personal information: The scammer acquires information on people’s logins and passwords obtained from hacked websites. They find your account information and send you (and everyone else in the database) an email with some personal details about you, including the original password you used on the hacked website. The criminal refers to your password as “proof” of having hacked your own computer or device, which is of course not true. The criminal then claims that while they hacked your computer they also caught you viewing inappropriate content online. The email then threatens that if you do not pay their extortion fee, they will share with your family and friends evidence of embarrassing online activities.
The catch is, in almost every situation like this the cybercriminal never actually hacked your system. They don’t even know who you are or which websites you’ve visited. The scammer is simply attempting to use the few personal details they have about you to scare you into believing they hacked your computer or device, and to trick you into paying them money. Remember, bad guys can use the same techniques for a phone call scam also.
It’s natural to feel scared when someone has personal information about you, but it’s important to remember that most of the time, the sender is lying. The attack is a part of an automated mass-scale campaign, not an attempt to directly target you. Keep in mind, social engineering attacks like these are not limited to phone calls or email; they can happen in any form including text messages, over social media, or even in person. The key is to know what clues to look out for:
If you suspect someone is trying to trick or scam you, stop communicating with the person. Remember, common sense is your best defense.
In addition, enable two-step verification (multi-factor authentication) whenever possible. We also recommend you always use a unique, passphrase for each of your online accounts. Can’t remember all your passwords? Use a password manager.